Privacy Policy
Last updated: March 2026
1. Who We Are
Pikaboo Enterprises ("we", "us", "our") operates the Pikaboo video calling platform. We provide private, encrypted video calling services to charities and organisations ("Clients") who deploy instances for their teams.
- Entity: Pikaboo Enterprises
- Country: United Kingdom
- Contact: privacy@pikaboo.app
2. What This Policy Covers
This policy explains what personal data we collect, why we collect it, how we store it, and your rights. It applies to all users ("you") of any Pikaboo instance hosted on our infrastructure.
3. Data We Collect
3.1 Data We Store
| Data | Purpose | Storage Location | Retention |
|---|---|---|---|
| Username | Identify authorised users | Upstash Redis (EU) | Until removed by admin |
| TOTP secret | Authenticator-based login | Upstash Redis (EU) | Until admin resets or removes user |
| Session token | Maintain login state | Upstash Redis (EU) | Auto-expires after 30 minutes |
| Last TOTP time step | Prevent code replay attacks | Upstash Redis (EU) | Overwritten on each login |
3.2 Data We Process but Do Not Store
| Data | Purpose | Notes |
|---|---|---|
| IP address | Rate limiting (anti-abuse) | Held in server memory only, never written to disk or database. Cleared when the rate limit window resets (60 seconds) |
| TURN relay traffic | Relay encrypted media when direct connection fails | Handled by Cloudflare. The relay forwards DTLS-SRTP packets that neither we nor Cloudflare can decrypt. Like any relay it necessarily sees the two peers' network addresses and the volume and timing of packets, but never the media inside them |
| File transfer metadata | Coordinate peer-to-peer file transfer | File name, size, and SHA-256 hash exchanged between peers via data channel. Never sent to or stored on our server. Discarded when session ends |
3.3 Data We Never Collect
- Email addresses
- Phone numbers
- Passwords
- Real names (unless used as a username)
- Call audio or video content
- Chat message content
- Files transferred between peers (sent directly browser-to-browser, never through our server)
- Call metadata (who called whom, duration, timestamps)
- Device fingerprints or tracking identifiers
- Cookies (the platform uses no cookies)
- Analytics or telemetry data
4. How Calls Work - Why We Can't Access Your Data
Pikaboo uses WebRTC (Web Real-Time Communication) for all video and audio calls:
- Calls are peer-to-peer - audio and video travel directly between browsers, not through our server.
- All media is encrypted with DTLS-SRTP (Datagram Transport Layer Security / Secure Real-time Transport Protocol). This encryption is handled by the browser and cannot be disabled.
- Our server's only role is signaling - it helps the two browsers find each other. The signaling messages (the session description and ICE candidates, which include the browsers' network addresses) pass through the server only for as long as it takes to forward them. Once the call connects, the server is not involved.
- If a direct connection is not possible (e.g. restrictive firewall), Cloudflare's TURN relay forwards the encrypted packets. Neither we nor Cloudflare can decrypt this traffic; as with any relay, Cloudflare does see the peers' network addresses and packet sizes and timing, but not the media.
- Chat messages (Pro/Enterprise tiers) are sent over WebRTC data channels - also peer-to-peer and encrypted. Messages are never sent to or stored on our server.
- Live captions (Enterprise tier) are generated entirely on your device using an on-device speech recognition engine (Sherpa-ONNX). No audio is sent to any external service for transcription. The speech model (~183 MB) is downloaded once from our server and cached in your browser. All processing happens locally - caption data is ephemeral and discarded when the call ends.
- File transfer (Pro/Enterprise tiers) sends files directly between browsers over the same peer-to-peer connection used for calls. Files are encrypted with DTLS and never pass through our server. File transfer is disabled when the connection uses a relay server (TURN), ensuring no third party handles your file data. File metadata (name, size, hash) is exchanged between peers only and is not logged or stored anywhere. All file data is discarded when the session ends.
5. Lawful Basis for Processing (GDPR)
| Data | Lawful Basis | Explanation |
|---|---|---|
| Username, TOTP secret | Legitimate interest (Article 6(1)(f)) | Necessary to authenticate users and prevent unauthorised access |
| Session token | Legitimate interest (Article 6(1)(f)) | Necessary to maintain login state for the duration of a session |
| IP address (in memory) | Legitimate interest (Article 6(1)(f)) | Necessary to prevent brute-force attacks and abuse |
We do not rely on consent as our lawful basis because the processing is minimal and strictly necessary for the service to function securely.
6. Where Your Data Is Stored
| Service | Role | Location | Provider Privacy |
|---|---|---|---|
| Hetzner Cloud | VPS hosting (server, signaling) | Falkenstein, Germany (EU) | hetzner.com |
| Upstash | Redis database (auth data) | EU region | upstash.com |
| Cloudflare | DNS, TLS certificates, TURN relay | Global (anycast) | cloudflare.com |
All stored personal data (usernames, TOTP secrets, sessions) resides in the EU.
7. Data Sharing
We do not sell, trade, or share personal data with third parties for marketing or any other purpose.
Data is only processed by our sub-processors (Hetzner, Upstash, Cloudflare) as strictly necessary to operate the service.
8. Data Retention
| Data | Retention Period |
|---|---|
| Username | Until removed by a tenant admin |
| TOTP secret | Until reset or user removed by admin |
| Session token | Auto-deleted after 30 minutes |
| IP address (memory only) | Cleared after 60 seconds |
We do not retain any data beyond what is listed above. There are no backups of call content because no call content is ever stored.
9. Your Rights (GDPR)
Under the UK GDPR and EU GDPR, you have the right to:
- Access - request a copy of your personal data
- Rectification - request correction of inaccurate data
- Erasure - request deletion of your data ("right to be forgotten")
- Restriction - request we limit how we process your data
- Portability - receive your data in a structured, machine-readable format
- Object - object to processing based on legitimate interest
To exercise any of these rights, contact privacy@pikaboo.app. We will respond within 30 days.
For username/TOTP deletion, your tenant admin can also remove your account immediately via the admin panel.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data has been mishandled.
10. Children
Pikaboo is provided to organisations for use by their authorised staff and beneficiaries. We do not knowingly collect data from children under 13. If you believe a child's data has been processed, contact us at privacy@pikaboo.app.
11. Changes to This Policy
We may update this policy from time to time. Changes will be reflected in the "Last updated" date at the top. For significant changes, we will notify our Clients who will inform their users.
12. Contact
For any questions about this policy or your personal data:
Email: privacy@pikaboo.app